[Hidden-tech] Lenovo pre-installed adware

Chris Hoogendyk hoogendyk at bio.umass.edu
Fri Feb 20 12:53:27 EST 2015


Following is the notification that just came in from NCCIC and US-CERT. It succinctly spells out the 
details and gives links to remediation short of nuking your installed OS.


---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology & Geology Departments
  (*) \(*) -- 347 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erdös 4




-------- Forwarded Message --------
Subject: 	TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing
Date: 	Fri, 20 Feb 2015 11:09:53 -0600
From: 	US-CERT <US-CERT at ncas.us-cert.gov>
Reply-To: 	US-CERT at ncas.us-cert.gov
To: 	hoogendyk at bio.umass.edu



NCCIC / US-CERT

National Cyber Awareness System:

TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing 
<https://www.us-cert.gov/ncas/alerts/TA15-051A>
02/20/2015 07:07 AM EST

Original release date: February 20, 2015


      Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed and potentially others.


      Overview

“Superfish” adware installed on some Lenovo PCs installs a non-unique trusted root certification 
authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.


      Description

Starting in as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of 
their PCs. This software intercepts users’ web traffic to provide targeted advertisements.  In order 
to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA 
certificate for “Superfish.” All browser-based encrypted traffic to the Internet is intercepted, 
decrypted, and re-encrypted to the user’s browser by the application - a classic “man in the middle” 
attack.  Because the certificates used by Superfish are signed by the CA installed by the software, 
the browser will not display any warnings that the traffic is being tampered with.  Since the 
private key can easily be recovered from the Superfish software, an attacker can generate a 
certificate for any website that will be trusted by a system with the Superfish software installed.  
This means websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has [1] stated <http://news.lenovo.com/article_display.cfm?article_id=1929> they 
have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came 
with the software already installed will continue to be vulnerable until corrective actions have 
been taken.

The underlying SSL decryption library from Komodia has been found to be present on other 
applications, including “KeepMyFamilySecure.”  Please refer to CERT [2] Vulnerability Note VU#529496 
<http://www.kb.cert.org/vuls/id/529496> for more details and updates.

To detect a system with Superfish installed, look for an HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

Where [ACTION] is at least 1, 2, or 3.  1 and then 2 are sent when a computer is turned on. 3 is 
sent when a computer is turned off.


      Impact

A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks 
without a warning from the browser.


      Solution

*Uninstall Superfish VisualDiscovery and associated root CA certificate*

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case 
of Lenovo PCs, this includes Superfish Visual Discovery.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does 
not remove the certificate. Microsoft provides guidance on [3] deleting 
<https://technet.microsoft.com/en-us/library/cc772354.aspx> and [4] managing 
<http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates> certificates in 
the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root 
certification authority certificate is issued to “Superfish, Inc.”

Mozilla provides similar [5] guidance 
<https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate> for their software, including 
the Firefox and Thunderbird certificate stores.


      References

  * [1] Lenovo Statement on Superfish (external link)
    <http://news.lenovo.com/article_display.cfm?article_id=1929>
  * [2] CERT VU#529496 (external link) <http://www.kb.cert.org/vuls/id/529496>
  * [3] Delete a Certificate (external link) <https://technet.microsoft.com/en-us/library/cc772354.aspx>
  * [4] View or Manage a Certificate (external link)
    <http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates>
  * [5] Deleting a root certificate (external link)
    <https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate>


      Revision History

  * February 20, 2015

----------------------------------------------------------------------------------------------------

This product is provided subject to this Notification <http://www.us-cert.gov/privacy/notification> 
and this Privacy & Use <http://www.us-cert.gov/privacy/> policy.







On 2/20/15 11:16 AM, Jeff Brand wrote:
> I believe it was the Geek Squad's crapware that inspired this tool which
> might help non-techies do it themselves.
> http://www.pcdecrapifier.com/
>
> Windows 8.1's licensing and tools have made it easier to create a clean
> install as well.
> http://arstechnica.com/gadgets/2015/02/save-yourself-from-your-oems-bad-decisions-with-a-clean-install-of-windows-8-1/
>
> The only questionable step is vendor driver support.
>
> I think that Lenovo's mistakes are severe enough to create some serious
> outcry and change acceptance of bundled software by the general public.
> All it needs to do is cost them more in sales and legal fees than it earns.
>
> On 2/20/2015 7:56 AM, Robert Heller wrote:
>> This whole thread is a clear argument *against* the idea of OEMs
>> pre-installing *any* [O/S] software. Not that I expect end-users to be
>> installing O/S (or really any) software either (that is often a completely
>> different can of worms). What is really needed is a sort of 'Jiffy Lube' type
>> of business for computers -- places where non-techies can go to have their
>> computers 'serviced' -- from O/S installs to 'regular maintenance' (e.g. regular
>> software updates and general admin work).  Someplace that is a 'disinterested
>> third party', that is not in the pay of some outside interest that would have
>> any influence relating to which O/S or what O/S (or other software) settings
>> or default preferences, etc.
>>
>> Having an entity with a 'vested' interest installing any software is really a
>> bad idea.
>>
>> At Thu, 19 Feb 2015 19:01:21 -0500 Roger Williams <roger at qux.com> wrote:
>>
>>> Those who are concerned their PC may contain this critical vulnerability (all of the recent Lenovo G, U, Y, Z, S, Flex, MIIX, YOGA, and E Series) can check at https://filippo.io/Badfish/. (The website was designed by one of the same researchers who published a site to scan websites for the catastrophic Heartbleed weakness in OpenSSL.)
>>>
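The advisory above gives a network indicator for Superfish: an HTTP GET to superfish.aistcdn.com/set.php carrying an ID (GUID) and an Action (1 and 2 at power-on, 3 at power-off). The following Python script is an added example, not part of the advisory or of any US-CERT tooling, that turns that indicator into a detection pass over proxy logs. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; adapt the line regex to your own proxy or web-gateway format. A client that shows up in the output needs the full remediation described in the Solution section, i.e. both the software uninstall and removal of the "Superfish, Inc." root CA certificate.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not real traffic), in a simple
# "timestamp client method url status" layout assumed for this example.
SAMPLE_LOG = """\
1424450400.101 10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=8c1f2d6e-9b3a-4f0e-a1c2-3d4e5f6a7b8c&Action=1 200
1424450401.250 10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=8c1f2d6e-9b3a-4f0e-a1c2-3d4e5f6a7b8c&Action=2 200
1424450402.000 10.0.0.31 GET http://www.example.com/index.html 200
1424478800.512 10.0.0.12 GET http://superfish.aistcdn.com/set.php?ID=8c1f2d6e-9b3a-4f0e-a1c2-3d4e5f6a7b8c&Action=3 200
1424478801.000 10.0.0.45 GET http://SUPERFISH.aistcdn.com/set.php?ID=0f0f0f0f-0000-1111-2222-333333333333&Action=1 200
1424478802.000 10.0.0.45 GET http://superfish.aistcdn.com/set.php?ID=0f0f0f0f-0000-1111-2222-333333333333 200
"""

# Action values as described in TA15-051A: 1 and 2 are sent at power-on, 3 at power-off.
ACTION_MEANING = {"1": "power-on", "2": "power-on", "3": "power-off"}

# Beacon host and path from the advisory.
BEACON_HOST = "superfish.aistcdn.com"
BEACON_PATH = "/set.php"

# Assumed log line layout; replace with the field pattern of your own proxy.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_beacon(line):
    """Return a dict describing a Superfish beacon, or None if the line is not one.

    Matching is done on the parsed URL (host compared case-insensitively,
    query parsed properly) rather than on a raw substring, so a line that
    merely mentions the hostname elsewhere does not trigger a hit, and a
    request missing the ID or Action parameter is rejected.
    """
    m = LINE_RE.match(line.strip())
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("url"))
    # urlsplit().hostname is already lowercased
    if parts.hostname != BEACON_HOST or parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query)
    guid = qs.get("ID", [None])[0]
    action = qs.get("Action", [None])[0]
    if guid is None or action is None:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "guid": guid,
        "action": action,
        "event": ACTION_MEANING.get(action, "unknown"),
    }


def find_superfish_hosts(log_text):
    """Group beacon hits by client address.

    Returns {client: {"guids": set of install GUIDs seen, "events": [(ts, event), ...]}}.
    Every client in the result should be treated as having Superfish installed.
    """
    hosts = defaultdict(lambda: {"guids": set(), "events": []})
    for line in log_text.splitlines():
        hit = parse_beacon(line)
        if hit is None:
            continue
        entry = hosts[hit["client"]]
        entry["guids"].add(hit["guid"])
        entry["events"].append((hit["ts"], hit["event"]))
    return dict(hosts)


if __name__ == "__main__":
    for client, info in sorted(find_superfish_hosts(SAMPLE_LOG).items()):
        timeline = ", ".join(f"{ts:.0f}:{ev}" for ts, ev in info["events"])
        print(f"{client}: Superfish beacon seen (GUIDs={sorted(info['guids'])}) {timeline}")
```

Because the beacons are tied to power-on and power-off, a single day of proxy logs is normally enough to enumerate affected machines, and the GUID lets you recognise the same installation even if the client changes address.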